On Mon, Jan 11, 2016 at 12:52:36PM +0100, Michal Privoznik wrote: > This API does not change domain state. It's merely like > virDomainGetXMLDesc() - and we don't reject RO connections there. > There's no reason to reject them here. This API can result in talking to the guest agent IIRC, which should be denied for read-only.

On Mon, Jan 11, 2016 at 01:20:38PM +0100, Michal Privoznik wrote: > On 11.01.2016 13:11, Daniel P. Berrange wrote: >> On Mon, Jan 11, 2016 at 12:52:36PM +0100, Michal Privoznik wrote: >>> This API does not change domain state. It's merely like >>> virDomainGetXMLDesc() - and we don't reject RO connections there. >>> There's no reason to reject them here. >> >> This API can result in talking to the guest agent IIRC, which should >> be denied for read-only. > > Ah, I see. We have the following check in the code: > > int > virDomainGetVcpusFlags(virDomainPtr domain, unsigned int flags) > { > /* ... */ > if (flags & VIR_DOMAIN_VCPU_GUEST) > virCheckReadOnlyGoto(conn->flags, error); > } > > On the other hand, virDomainGetTime() talks to guest agent and is allowed on RO connection. > > So what about the following change instead? > > diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c > index e5af933..95b797a 100644 > --- a/src/libvirt-domain.c > +++ b/src/libvirt-domain.c > @@ -11545,7 +11545,8 @@ virDomainInterfaceAddresses(virDomainPtr dom, > if (ifaces) > *ifaces = NULL; > virCheckDomainReturn(dom, -1); > - virCheckNonNullArgGoto(ifaces, error); > + if (source == VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT) > + virCheckNonNullArgGoto(ifaces, error); You want to be checking the readonly flag here, not ifaces...